2016 was a record-setting year for data breaches and hacks. In the last few months of the year Yahoo began making headline news for all the wrong reasons, with two stories about how it was the victim of the largest cyber-attack in history, the largest of which saw one billion accounts being compromised. Making the situation all the worse for Yahoo was the fact that it was in the process of being acquired by Verizon. The hack has in fact resulted in Verizon paying $350 million less for Yahoo and receiving confirmation from Yahoo’s board that any future legal costs or reparations will be jointly covered. The bad news for companies across the globe is that Yahoo’s attack is likely to be only the beginning. As cyber-attacks escalate in both volume and size, the dangers to companies looking at acquiring others rise.
Part of the problem for the acquirer is the sheer size and scale that many mergers and acquisitions (M&As) take on. With so many moving parts involved in a large-scale M&A, the implications of forgoing cyber security checks can be far from the buyer’s mind. Contracts, staffing and legal frameworks often appear more pressing as deadlines approach than carrying out cyber security checks. Nevertheless, overlooking checks can prove detrimental later on, when contracts have already been signed and deals are completed. Once a data breach is found, even if it took place years before an acquisition was planned, as might have happened in Yahoo’s case, the purchasing company can be held responsible and consequently suffer the penalties, charges and inevitable loss of reputation.
Eventually, when a data breach does come to light, reputational and financial losses can quickly escalate. For those who worked hard on the deal, a career-defining moment can instantly turn into a dreadful and ongoing nightmare.
The damage done
Verizon’s deal to buy Yahoo is just one example of what can happen if the correct cyber security checks are not carried out. What seemed like a straightforward M&A deal between two of the world’s largest technology companies quickly evolved into a PR disaster. With Verizon having agreed to buy Yahoo for $4.8 billion, it quickly became clear that the correct checks had not been carried out and that the deal might not happen. Once the dust had settled, and the legal teams from both parties had reached an agreement, a sizeable discount was applied, bringing the value of Yahoo down by $350 million.
The cost of an attack
In many ways, though, Yahoo and Verizon can be seen as getting off lightly. The financial impact of a data breach can easily spiral into large sums of money, with some estimates placing the average cost at $221 per stolen record in the US. If this is applied to the smallest of Yahoo’s reported attacks, the total would be over $100 billion. Furthermore, a company’s share price tends to dip after a breach, with the likes of TalkTalk seeing 20% slashed off its share price in the months after its widely broadcast cyber-attack. It is quite clear that forgoing cybersecurity checks can cost businesses billions financially and make a once-priceless brand name almost completely worthless.
In the end, though, the Verizon-Yahoo deal survived. With a long-established history on the internet as well as strong loyalty among its users, the company shrugged off the hacks with relative ease. Regardless of the size of the damage, businesses both big and small should take a lesson from the Yahoo hack. Most companies are unlikely to be so fortunate. For a small start-up, the cost of fines and legal fees could be detrimental, while the loss of customer trust is likely to be even worse. So how can businesses empower and protect themselves from a cyber-attack when considering an M&A? There are three key steps that can help protect the investment:
Audit potential breaches: Carrying out a risk audit of potential breaches, assessing both the societal and financial factors that might increase the likelihood of becoming a cyber-target, will help M&A analysts calculate whether the eventual acquisition is cost-effective.
Regulatory industry standards: Companies within certain industries are obliged to maintain a secure environment that will mitigate the risk of cyber-attacks and protect user data. For instance, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information do so in a secure fashion. Ensuring that potential purchases are compliant with these standards is essential in M&A deals.
Seek expert help: Cyber security systems are complex and require in-depth knowledge and understanding of how to navigate them safely and effectively, without compromising existing structures. It is therefore highly recommended that M&A analysts enlist the help of cybersecurity consultants to advise them on the suitability of a potential purchase.
Protecting yourself during an M&A
It seems pretty certain at this stage that what was seen with Yahoo and Verizon is only the beginning. With technology companies continuing to consolidate, and hackers only getting more and more sophisticated in the style and types of attacks they perform, more businesses are likely to fall prey to these unforeseen attacks. As a result, it is in the best interests of the purchasing company during an M&A to calculate and identify cyber security weaknesses and breaches in the business they intend to buy. Thinking about cyber security earlier in the M&A process and carrying out a full cyber security due diligence investigation and report can only help limit issues and the chance that a deal falls through. Next time you are planning an M&A, make sure you get cyber security experts in to perform the correct due diligence. Failure to do so may cost more than you think.
Brian Pennington, regional sales director, EMEA for Coalfire